├── KernelDriver ├── README.md ├── hook.h ├── KernelDriver.vcxproj.user ├── main.cpp ├── memory.h ├── KernelDriver.vcxproj.filters ├── KernelDriver.inf ├── hook.cpp ├── definitions.h ├── memory.cpp └── KernelDriver.vcxproj ├── UMCheat ├── UMCheat.vcxproj.user ├── offsets.hpp ├── offsets.cpp ├── UMCheat.vcxproj.filters ├── UMCheat.vcxproj └── main.cpp ├── README.md └── ApexTool.sln /KernelDriver/README.md: -------------------------------------------------------------------------------- 1 | credits: null 2 | uwu -------------------------------------------------------------------------------- /UMCheat/UMCheat.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /KernelDriver/hook.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "memory.h" 3 | 4 | namespace nullhook 5 | { 6 | bool call_kernel_function(void* kernel_function_address); 7 | NTSTATUS hook_handler(PVOID called_param); 8 | } -------------------------------------------------------------------------------- /KernelDriver/KernelDriver.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Off 5 | 6 | -------------------------------------------------------------------------------- /KernelDriver/main.cpp: -------------------------------------------------------------------------------- 1 | #include "hook.h" 2 | 3 | extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING reg_path) 4 | { 5 | UNREFERENCED_PARAMETER(driver_object); 6 | UNREFERENCED_PARAMETER(reg_path); 7 | 8 | nullhook::call_kernel_function(&nullhook::hook_handler); 9 | 10 | return STATUS_SUCCESS; 11 | } -------------------------------------------------------------------------------- /UMCheat/offsets.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | class OFFSETS 4 | { 5 | 6 | public: 7 | OFFSETS(); 8 | static int OFFSET_MATRIX; 9 | static int OFFSET_RENDER; 10 | static int OFFSET_ENTITYLIST; 11 | static int OFFSET_ORIGIN; 12 | 13 | static int OFFSET_LOCAL_ENT; 14 | 15 | static int OFFSET_TEAM; 16 | static int OFFSET_HEALTH; 17 | static int OFFSET_SHEILD; 18 | 19 | static int OFFSET_LIFE_STATE; 20 | static int OFFSET_BLEED_OUT_STATE; 21 | static int OFFSET_VISIBLE_TIME; 22 | 23 | static int GLOW_CONTEXT; 24 | static int GLOW_VISIBLE_TYPE; 25 | static int GLOW_TYPE; 26 | static int GLOW_COLOR; 27 | }; -------------------------------------------------------------------------------- /KernelDriver/memory.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "definitions.h" 3 | 4 | PVOID get_system_module_base(const char* module_name); 5 | PVOID get_system_module_export(const char* module_name, LPCSTR routine_name); 6 | bool write_memory(void* address, void* buffer, size_t size); 7 | bool write_to_read_only_memory(void* address, void* buffer, size_t size); 8 | ULONG64 get_module_base_x64(PEPROCESS proc, UNICODE_STRING module_name); 9 | bool read_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size); 10 | bool write_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size); 11 | 12 | typedef struct _NULL_MEMORY 13 | { 14 | void* buffer_address; 15 | UINT_PTR address; 16 | ULONGLONG size; 17 | ULONG pid; 18 | BOOLEAN write; 19 | BOOLEAN read; 20 | BOOLEAN req_base; 21 | void* output; 22 | const char* module_name; 23 | ULONG64 base_address; 24 | }NULL_MEMORY; -------------------------------------------------------------------------------- /UMCheat/offsets.cpp: -------------------------------------------------------------------------------- 1 | #include "offsets.hpp" 2 | 3 | OFFSETS::OFFSETS() {}; 4 | 5 | // BOX 6 | int OFFSETS::OFFSET_MATRIX = 0x001B3BD0; // ViewMatrix 7 | int OFFSETS::OFFSET_RENDER = 0x408B768; // ViewRender 8 | int OFFSETS::OFFSET_ENTITYLIST = 0x18DA3F8; // cl_entitylist 9 | int OFFSETS::OFFSET_ORIGIN = 0x14C; // m_vecAbsOrigin 10 | 11 | 12 | // ENTITY 13 | int OFFSETS::OFFSET_LOCAL_ENT = 0x1C898F8; // LocalPlayer 14 | 15 | int OFFSETS::OFFSET_TEAM = 0x0450; // m_iTeamNum 16 | int OFFSETS::OFFSET_HEALTH = 0x0440; // m_iHealth 17 | int OFFSETS::OFFSET_SHEILD = 0x0170; // m_shieldHealth 18 | 19 | int OFFSETS::OFFSET_LIFE_STATE = 0x0798; // m_lifeState 20 | int OFFSETS::OFFSET_BLEED_OUT_STATE = 0x25E8; // m_bleedoutState 21 | int OFFSETS::OFFSET_VISIBLE_TIME = 0x1A4C; // m_visibletime 22 | 23 | 24 | // GLOW 25 | int OFFSETS::GLOW_CONTEXT = 0x3C8; // Script_Highlight_SetCurrentContext 26 | int OFFSETS::GLOW_VISIBLE_TYPE = 0x3D0; // Script_Highlight_SetVisibilityType - 5th mov 27 | int OFFSETS::GLOW_TYPE = 0x2C4; // Script_Highlight_GetState + 4 28 | int OFFSETS::GLOW_COLOR = 0x1D0; // Script_CopyHighlightState 15th mov 29 | -------------------------------------------------------------------------------- /UMCheat/UMCheat.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # External Apex Tool 2 | [![Discord](https://img.shields.io/discord/748288505507217428.svg?label=&logo=discord&logoColor=ffffff&color=7389D8&labelColor=6A7EC2)](https://discord.gg/AEfuvwT) 3 | 4 | ## Infos: 5 | Driver is detected and 2 cheat games will result in your account being banned! 6 | 7 | Glow is based on: 8 | - [NUM1] > Life + Shield 9 | - light pink: 1-50, 10 | - pink: 50-100, 11 | - purple: 80-120, 12 | - dark purple: 120-150, 13 | - blue: 150-180, 14 | - dark blue: 180-200 15 | - [NUM2] > Vision 16 | - darker: can't see enemy, 17 | - lighter: can see enemy 18 | 19 | ## How to: 20 | - Use VS 2019 21 | - Install WDK & SDK 22 | - Make sure that /Qspectre is disabled for driver 23 | - Build driver and cheat as `Release x64` 24 | - Map driver using KDMapper (https://github.com/TheCruZ/kdmapper) 25 | - Launch game 26 | - Launch UM in menu 27 | 28 | ## Credits: 29 | - Null (driver) 30 | - AdrianVPL (glow) 31 | 32 | ## Keybinds: 33 | If you want to change keybinds use: 34 | https://docs.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes 35 | find interesting key `VK_` or `0x` code and put inside `main.cpp` (CheatUM) at correct place, eg.: 36 | `if (GetAsyncKeyState(VK_NUMPAD1))` -> `if (GetAsyncKeyState(VK_NUMPAD5))` or sth 37 | 38 | ## Hooked function: 39 | If you want to change function which is being hooked by driver find: 40 | `NtOpenCompositionSurfaceSectionInfo` 41 | inside `main.cpp` (CheatUM) & `hook.cpp` (Driver) 42 | and then change it for something else (https://github.com/hfiref0x/NtCall64/blob/master/Source/NtCall64/tables.h) 43 | 44 | Remember! There can't be `__security_cookie` inside, coz its going to cause bsod ;x 45 | 46 | ## Images: 47 | ![img](https://i.imgur.com/cjggaZF.png) 48 | 49 | 50 | glhf 51 | -------------------------------------------------------------------------------- /KernelDriver/KernelDriver.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files 43 | 44 | 45 | Source Files 46 | 47 | 48 | -------------------------------------------------------------------------------- /KernelDriver/KernelDriver.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; KernelDriver.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=KernelDriver.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | KernelDriver_Device_CoInstaller_CopyFiles = 11 16 | 17 | ; ================= Class section ===================== 18 | 19 | [ClassInstall32] 20 | Addreg=SampleClassReg 21 | 22 | [SampleClassReg] 23 | HKR,,,0,%ClassName% 24 | HKR,,Icon,,-5 25 | 26 | [SourceDisksNames] 27 | 1 = %DiskName%,,,"" 28 | 29 | [SourceDisksFiles] 30 | KernelDriver.sys = 1,, 31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 32 | 33 | ;***************************************** 34 | ; Install Section 35 | ;***************************************** 36 | 37 | [Manufacturer] 38 | %ManufacturerName%=Standard,NT$ARCH$ 39 | 40 | [Standard.NT$ARCH$] 41 | %KernelDriver.DeviceDesc%=KernelDriver_Device, Root\KernelDriver ; TODO: edit hw-id 42 | 43 | [KernelDriver_Device.NT] 44 | CopyFiles=Drivers_Dir 45 | 46 | [Drivers_Dir] 47 | KernelDriver.sys 48 | 49 | ;-------------- Service installation 50 | [KernelDriver_Device.NT.Services] 51 | AddService = KernelDriver,%SPSVCINST_ASSOCSERVICE%, KernelDriver_Service_Inst 52 | 53 | ; -------------- KernelDriver driver install sections 54 | [KernelDriver_Service_Inst] 55 | DisplayName = %KernelDriver.SVCDESC% 56 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 57 | StartType = 3 ; SERVICE_DEMAND_START 58 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 59 | ServiceBinary = %12%\KernelDriver.sys 60 | 61 | ; 62 | ;--- KernelDriver_Device Coinstaller installation ------ 63 | ; 64 | 65 | [KernelDriver_Device.NT.CoInstallers] 66 | AddReg=KernelDriver_Device_CoInstaller_AddReg 67 | CopyFiles=KernelDriver_Device_CoInstaller_CopyFiles 68 | 69 | [KernelDriver_Device_CoInstaller_AddReg] 70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 71 | 72 | [KernelDriver_Device_CoInstaller_CopyFiles] 73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 74 | 75 | [KernelDriver_Device.NT.Wdf] 76 | KmdfService = KernelDriver, KernelDriver_wdfsect 77 | [KernelDriver_wdfsect] 78 | KmdfLibraryVersion = $KMDFVERSION$ 79 | 80 | [Strings] 81 | SPSVCINST_ASSOCSERVICE= 0x00000002 82 | ManufacturerName="" ;TODO: Replace with your manufacturer name 83 | ClassName="Samples" ; TODO: edit ClassName 84 | DiskName = "KernelDriver Installation Disk" 85 | KernelDriver.DeviceDesc = "KernelDriver Device" 86 | KernelDriver.SVCDESC = "KernelDriver Service" 87 | -------------------------------------------------------------------------------- /KernelDriver/hook.cpp: -------------------------------------------------------------------------------- 1 | #include "hook.h" 2 | 3 | bool nullhook::call_kernel_function(void* kernel_function_address) 4 | { 5 | if (!kernel_function_address) 6 | return false; 7 | 8 | PVOID* function = reinterpret_cast(get_system_module_export("\\SystemRoot\\System32\\drivers\\dxgkrnl.sys", 9 | "NtOpenCompositionSurfaceSectionInfo")); // NtOpenCompositionSurfaceSectionInfo 10 | 11 | if (!function) 12 | return false; 13 | 14 | BYTE orig[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; //0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 15 | 16 | BYTE shell_code[] = { 0x48, 0xB8 }; // mov rax, xxx // 0x48 - 0xB8 17 | BYTE shell_code_end[] = { 0xFF, 0xE0 }; //jmp rax // 0xFF - 0xE0 18 | 19 | RtlSecureZeroMemory(&orig, sizeof(orig)); 20 | memcpy((PVOID)((ULONG_PTR)orig), &shell_code, sizeof(shell_code)); 21 | uintptr_t hook_address = reinterpret_cast(kernel_function_address); 22 | memcpy((PVOID)((ULONG_PTR)orig + sizeof(shell_code)), &hook_address, sizeof(void*)); 23 | memcpy((PVOID)((ULONG_PTR)orig + sizeof(shell_code) + sizeof(void*)), &shell_code_end, sizeof(shell_code_end)); 24 | 25 | write_to_read_only_memory(function, &orig, sizeof(orig)); 26 | 27 | return true; 28 | } 29 | 30 | NTSTATUS nullhook::hook_handler(PVOID called_param) 31 | { 32 | NULL_MEMORY* instructions = (NULL_MEMORY*)called_param; 33 | 34 | if (instructions->req_base != FALSE) 35 | { 36 | ANSI_STRING AS; 37 | UNICODE_STRING ModuleName; 38 | 39 | RtlInitAnsiString(&AS, instructions->module_name); 40 | RtlAnsiStringToUnicodeString(&ModuleName, &AS, TRUE); 41 | 42 | PEPROCESS process; 43 | ULONG64 base_address64 = NULL; 44 | if ((HANDLE)instructions->pid != 0) { 45 | PsLookupProcessByProcessId((HANDLE)instructions->pid, &process); 46 | base_address64 = get_module_base_x64(process, ModuleName); 47 | } 48 | instructions->base_address = base_address64; 49 | RtlFreeUnicodeString(&ModuleName); 50 | } 51 | 52 | if (instructions->write != FALSE) 53 | { 54 | if (instructions->address < 0x7FFFFFFFFFFF && instructions->address > 0) 55 | { 56 | PVOID kernelBuff = ExAllocatePool(NonPagedPool, instructions->size); 57 | 58 | if (!kernelBuff) 59 | { 60 | return STATUS_UNSUCCESSFUL; 61 | } 62 | 63 | if (!memcpy(kernelBuff, instructions->buffer_address, instructions->size)) 64 | { 65 | return STATUS_UNSUCCESSFUL; 66 | } 67 | 68 | PEPROCESS process; 69 | if ((HANDLE)instructions->pid != 0) { 70 | PsLookupProcessByProcessId((HANDLE)instructions->pid, &process); 71 | write_kernel_memory((HANDLE)instructions->pid, instructions->address, kernelBuff, instructions->size); 72 | } 73 | ExFreePool(kernelBuff); 74 | } 75 | } 76 | 77 | if (instructions->read != FALSE) 78 | { 79 | if (instructions->address < 0x7FFFFFFFFFFF && instructions->address > 0) 80 | { 81 | read_kernel_memory((HANDLE)instructions->pid, instructions->address, instructions->output, instructions->size); 82 | } 83 | } 84 | 85 | return STATUS_SUCCESS; 86 | } -------------------------------------------------------------------------------- /ApexTool.sln: -------------------------------------------------------------------------------- 1 | Microsoft Visual Studio Solution File, Format Version 12.00 2 | # Visual Studio Version 19 3 | VisualStudioVersion = 16.9.31129.286 4 | MinimumVisualStudioVersion = 16.0.29905.134 5 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Driver", "KernelDriver\KernelDriver.vcxproj", "{59AD331E-D3D4-46C4-8759-4A02AB42353A}" 6 | EndProject 7 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Usermode", "UMCheat\UMCheat.vcxproj", "{64DE4F42-B12F-431D-89D5-89F8C41249B5}" 8 | EndProject 9 | Global 10 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 11 | Debug|ARM = Debug|ARM 12 | Debug|ARM64 = Debug|ARM64 13 | Debug|x64 = Debug|x64 14 | Debug|x86 = Debug|x86 15 | Release|ARM = Release|ARM 16 | Release|ARM64 = Release|ARM64 17 | Release|x64 = Release|x64 18 | Release|x86 = Release|x86 19 | EndGlobalSection 20 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 21 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.ActiveCfg = Debug|ARM 22 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.Build.0 = Debug|ARM 23 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM.Deploy.0 = Debug|ARM 24 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.ActiveCfg = Debug|ARM64 25 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.Build.0 = Debug|ARM64 26 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|ARM64.Deploy.0 = Debug|ARM64 27 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.ActiveCfg = Debug|x64 28 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.Build.0 = Debug|x64 29 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x64.Deploy.0 = Debug|x64 30 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.ActiveCfg = Debug|Win32 31 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.Build.0 = Debug|Win32 32 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Debug|x86.Deploy.0 = Debug|Win32 33 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.ActiveCfg = Release|ARM 34 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.Build.0 = Release|ARM 35 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM.Deploy.0 = Release|ARM 36 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.ActiveCfg = Release|ARM64 37 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.Build.0 = Release|ARM64 38 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|ARM64.Deploy.0 = Release|ARM64 39 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.ActiveCfg = Release|x64 40 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.Build.0 = Release|x64 41 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x64.Deploy.0 = Release|x64 42 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.ActiveCfg = Release|Win32 43 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.Build.0 = Release|Win32 44 | {59AD331E-D3D4-46C4-8759-4A02AB42353A}.Release|x86.Deploy.0 = Release|Win32 45 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|ARM.ActiveCfg = Debug|Win32 46 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|ARM64.ActiveCfg = Debug|Win32 47 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x64.ActiveCfg = Debug|x64 48 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x64.Build.0 = Debug|x64 49 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x86.ActiveCfg = Debug|Win32 50 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Debug|x86.Build.0 = Debug|Win32 51 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|ARM.ActiveCfg = Release|Win32 52 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|ARM64.ActiveCfg = Release|Win32 53 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x64.ActiveCfg = Release|x64 54 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x64.Build.0 = Release|x64 55 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x86.ActiveCfg = Release|Win32 56 | {64DE4F42-B12F-431D-89D5-89F8C41249B5}.Release|x86.Build.0 = Release|Win32 57 | EndGlobalSection 58 | GlobalSection(SolutionProperties) = preSolution 59 | HideSolutionNode = FALSE 60 | EndGlobalSection 61 | GlobalSection(ExtensibilityGlobals) = postSolution 62 | SolutionGuid = {689D2A6E-68F2-42AE-8B13-36F3041DB588} 63 | EndGlobalSection 64 | EndGlobal 65 | -------------------------------------------------------------------------------- /KernelDriver/definitions.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #pragma comment(lib, "ntoskrnl.lib") 8 | 9 | typedef enum _SYSTEM_INFORMATION_CLASS 10 | { 11 | SystemBasicInformation, 12 | SystemProcessorInformation, 13 | SystemPerformanceInformation, 14 | SystemTimeOfDayInformation, 15 | SystemPathInformation, 16 | SystemProcessInformation, 17 | SystemCallCountInformation, 18 | SystemDeviceInformation, 19 | SystemProcessorPerformanceInformation, 20 | SystemFlagsInformation, 21 | SystemCallTimeInformation, 22 | SystemModuleInformation = 0x0B 23 | } SYSTEM_INFORMATION_CLASS, 24 | * PSYSTEM_INFORMATION_CLASS; 25 | 26 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 27 | { 28 | HANDLE Section; 29 | PVOID MappedBase; 30 | PVOID ImageBase; 31 | ULONG ImageSize; 32 | ULONG Flags; 33 | USHORT LoadOrderIndex; 34 | USHORT InitOrderIndex; 35 | USHORT LoadCount; 36 | USHORT OffsetToFileName; 37 | UCHAR FullPathName[256]; 38 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION; 39 | 40 | typedef struct _RTL_PROCESS_MODULES 41 | { 42 | ULONG NumberOfModules; 43 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 44 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES; 45 | 46 | typedef struct _PEB_LDR_DATA { 47 | ULONG Length; 48 | BOOLEAN Initialized; 49 | PVOID SsHandle; 50 | LIST_ENTRY ModuleListLoadOrder; 51 | LIST_ENTRY ModuleListMemoryOrder; 52 | LIST_ENTRY ModuleListInitOrder; 53 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 54 | 55 | typedef struct _LDR_DATA_TABLE_ENTRY { 56 | LIST_ENTRY InLoadOrderModuleList; 57 | LIST_ENTRY InMemoryOrderModuleList; 58 | LIST_ENTRY InInitializationOrderModuleList; 59 | PVOID DllBase; 60 | PVOID EntryPoint; 61 | ULONG SizeOfImage; // in bytes 62 | UNICODE_STRING FullDllName; 63 | UNICODE_STRING BaseDllName; 64 | ULONG Flags; // LDR_* 65 | USHORT LoadCount; 66 | USHORT TlsIndex; 67 | LIST_ENTRY HashLinks; 68 | PVOID SectionPointer; 69 | ULONG CheckSum; 70 | ULONG TimeDateStamp; 71 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 72 | 73 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 74 | BYTE Reserved1[16]; 75 | PVOID Reserved2[10]; 76 | UNICODE_STRING ImagePathName; 77 | UNICODE_STRING CommandLine; 78 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 79 | 80 | typedef void(__stdcall* PPS_POST_PROCESS_INIT_ROUTINE)(void); // not exported 81 | 82 | typedef struct _PEB { 83 | BYTE Reserved1[2]; 84 | BYTE BeingDebugged; 85 | BYTE Reserved2[1]; 86 | PVOID Reserved3[2]; 87 | PPEB_LDR_DATA Ldr; 88 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 89 | PVOID Reserved4[3]; 90 | PVOID AtlThunkSListPtr; 91 | PVOID Reserved5; 92 | ULONG Reserved6; 93 | PVOID Reserved7; 94 | ULONG Reserved8; 95 | ULONG AtlThunkSListPtr32; 96 | PVOID Reserved9[45]; 97 | BYTE Reserved10[96]; 98 | PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; 99 | BYTE Reserved11[128]; 100 | PVOID Reserved12[1]; 101 | ULONG SessionId; 102 | } PEB, * PPEB; 103 | 104 | extern "C" __declspec(dllimport) 105 | NTSTATUS NTAPI ZwProtectVirtualMemory( 106 | HANDLE ProcessHandle, 107 | PVOID * BaseAddress, 108 | PULONG ProtectSize, 109 | ULONG NewProtect, 110 | PULONG OldProtect 111 | ); 112 | 113 | extern "C" NTKERNELAPI 114 | PVOID 115 | NTAPI 116 | RtlFindExportedRoutineByName( 117 | _In_ PVOID ImageBase, 118 | _In_ PCCH RoutineNam 119 | ); 120 | 121 | extern "C" NTSTATUS ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength); 122 | 123 | extern "C" NTKERNELAPI 124 | PPEB 125 | PsGetProcessPeb( 126 | IN PEPROCESS Process 127 | ); 128 | 129 | extern "C" NTSTATUS NTAPI MmCopyVirtualMemory 130 | ( 131 | PEPROCESS SourceProcess, 132 | PVOID SourceAddress, 133 | PEPROCESS TargetProcess, 134 | PVOID TargetAddress, 135 | SIZE_T BufferSize, 136 | KPROCESSOR_MODE PreviousMode, 137 | PSIZE_T ReturnSize 138 | ); -------------------------------------------------------------------------------- /KernelDriver/memory.cpp: -------------------------------------------------------------------------------- 1 | #include "memory.h" 2 | 3 | PVOID get_system_module_base(const char* module_name) 4 | { 5 | ULONG bytes = 0; 6 | NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, NULL, bytes, &bytes); 7 | 8 | if (!bytes) 9 | return NULL; 10 | 11 | PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, 0x4e554c4c); 12 | 13 | status = ZwQuerySystemInformation(SystemModuleInformation, modules, bytes, &bytes); 14 | 15 | if (!NT_SUCCESS(status)) 16 | return NULL; 17 | 18 | 19 | 20 | PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules; 21 | PVOID module_base = 0, module_size = 0; 22 | 23 | for (ULONG i = 0; i < modules->NumberOfModules; i++) 24 | { 25 | if (strcmp((char*)module[i].FullPathName, module_name) == NULL) 26 | { 27 | module_base = module[i].ImageBase; 28 | module_size = (PVOID)module[i].ImageSize; 29 | break; 30 | } 31 | } 32 | 33 | if (modules) 34 | ExFreePoolWithTag(modules, NULL); 35 | 36 | if (module_base <= NULL) 37 | return NULL; 38 | 39 | return module_base; 40 | } 41 | 42 | PVOID get_system_module_export(const char* module_name, LPCSTR routine_name) 43 | { 44 | PVOID lpModule = get_system_module_base(module_name); 45 | 46 | if (!lpModule) 47 | return NULL; 48 | 49 | return RtlFindExportedRoutineByName(lpModule, routine_name); 50 | } 51 | 52 | bool write_memory(void* address, void* buffer, size_t size) 53 | { 54 | if (!RtlCopyMemory(address, buffer, size)) 55 | { 56 | return false; 57 | } 58 | else 59 | { 60 | return true; 61 | } 62 | } 63 | 64 | bool write_to_read_only_memory(void* address, void* buffer, size_t size) 65 | { 66 | PMDL Mdl = IoAllocateMdl(address, size, FALSE, FALSE, NULL); 67 | 68 | if (!Mdl) 69 | return false; 70 | 71 | MmProbeAndLockPages(Mdl, KernelMode, IoReadAccess); 72 | PVOID Mapping = MmMapLockedPagesSpecifyCache(Mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority); 73 | MmProtectMdlSystemAddress(Mdl, PAGE_READWRITE); 74 | 75 | write_memory(Mapping, buffer, size); 76 | 77 | MmUnmapLockedPages(Mapping, Mdl); 78 | MmUnlockPages(Mdl); 79 | IoFreeMdl(Mdl); 80 | 81 | return true; 82 | } 83 | 84 | ULONG64 get_module_base_x64(PEPROCESS proc, UNICODE_STRING module_name) 85 | { 86 | PPEB pPeb = PsGetProcessPeb(proc); 87 | 88 | if (!pPeb) 89 | { 90 | return NULL; 91 | } 92 | 93 | KAPC_STATE state; 94 | 95 | KeStackAttachProcess(proc, &state); 96 | 97 | PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)pPeb->Ldr; 98 | 99 | if (!pLdr) 100 | { 101 | KeUnstackDetachProcess(&state); 102 | return NULL; 103 | } 104 | 105 | for (PLIST_ENTRY list = (PLIST_ENTRY)pLdr->ModuleListLoadOrder.Flink; list != &pLdr->ModuleListLoadOrder; list = (PLIST_ENTRY)list->Flink) 106 | { 107 | PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(list, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList); 108 | 109 | if (RtlCompareUnicodeString(&pEntry->BaseDllName, &module_name, TRUE) == NULL) 110 | { 111 | ULONG64 baseAddr = (ULONG64)pEntry->DllBase; 112 | KeUnstackDetachProcess(&state); 113 | return baseAddr; 114 | } 115 | } 116 | 117 | KeUnstackDetachProcess(&state); 118 | return NULL; 119 | } 120 | 121 | bool read_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size) 122 | { 123 | if (!address || !buffer || !size) 124 | return false; 125 | 126 | SIZE_T bytes = 0; 127 | NTSTATUS status = STATUS_SUCCESS; 128 | PEPROCESS process; 129 | 130 | if ((HANDLE)pid == 0) return false; 131 | PsLookupProcessByProcessId((HANDLE)pid, &process); 132 | status = MmCopyVirtualMemory(process, (void*)address, (PEPROCESS)PsGetCurrentProcess(), (void*)buffer, size, KernelMode, &bytes); 133 | 134 | if (!NT_SUCCESS(status)) 135 | { 136 | return false; 137 | } 138 | else 139 | { 140 | return true; 141 | } 142 | } 143 | 144 | bool write_kernel_memory(HANDLE pid, uintptr_t address, void* buffer, SIZE_T size) 145 | { 146 | if (!address || !buffer || !size) 147 | return false; 148 | 149 | NTSTATUS status = STATUS_SUCCESS; 150 | PEPROCESS process; 151 | if ((HANDLE)pid == 0) return false; 152 | PsLookupProcessByProcessId((HANDLE)pid, &process); 153 | KAPC_STATE state; 154 | KeStackAttachProcess((PEPROCESS)process, &state); 155 | 156 | MEMORY_BASIC_INFORMATION info; 157 | 158 | status = ZwQueryVirtualMemory(ZwCurrentProcess(), (PVOID)address, MemoryBasicInformation, &info, sizeof(info), NULL); 159 | if (!NT_SUCCESS(status)) 160 | { 161 | KeUnstackDetachProcess(&state); 162 | return false; 163 | } 164 | 165 | if (((uintptr_t)info.BaseAddress + info.RegionSize) < (address + size)) 166 | { 167 | KeUnstackDetachProcess(&state); 168 | return false; 169 | } 170 | 171 | if (!(info.State & MEM_COMMIT) || (info.Protect & (PAGE_GUARD | PAGE_NOACCESS))) 172 | { 173 | KeUnstackDetachProcess(&state); 174 | return false; 175 | } 176 | 177 | if ((info.Protect & PAGE_EXECUTE_READWRITE) || (info.Protect & PAGE_EXECUTE_WRITECOPY) 178 | || (info.Protect & PAGE_READWRITE) || (info.Protect & PAGE_WRITECOPY)) 179 | { 180 | RtlCopyMemory((void*)address, buffer, size); 181 | } 182 | KeUnstackDetachProcess(&state); 183 | return true; 184 | } -------------------------------------------------------------------------------- /UMCheat/UMCheat.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {64DE4F42-B12F-431D-89D5-89F8C41249B5} 24 | UMCheat 25 | 10.0 26 | Usermode 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | stdcpp17 92 | 93 | 94 | Console 95 | true 96 | 97 | 98 | 99 | 100 | Level3 101 | true 102 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 103 | true 104 | 105 | 106 | Console 107 | true 108 | 109 | 110 | 111 | 112 | Level3 113 | true 114 | true 115 | true 116 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 117 | true 118 | 119 | 120 | Console 121 | true 122 | true 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | stdcpplatest 135 | 136 | 137 | Console 138 | true 139 | true 140 | true 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | -------------------------------------------------------------------------------- /KernelDriver/KernelDriver.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {59AD331E-D3D4-46C4-8759-4A02AB42353A} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | KernelDriver 45 | Driver 46 | 47 | 48 | 49 | Windows10 50 | true 51 | WindowsKernelModeDriver10.0 52 | Driver 53 | KMDF 54 | Universal 55 | 56 | 57 | Windows10 58 | false 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | KMDF 62 | Universal 63 | 64 | 65 | Windows10 66 | true 67 | WindowsKernelModeDriver10.0 68 | Driver 69 | KMDF 70 | Universal 71 | 72 | 73 | Windows10 74 | false 75 | WindowsKernelModeDriver10.0 76 | Driver 77 | KMDF 78 | Universal 79 | false 80 | 81 | 82 | Windows10 83 | true 84 | WindowsKernelModeDriver10.0 85 | Driver 86 | KMDF 87 | Universal 88 | 89 | 90 | Windows10 91 | false 92 | WindowsKernelModeDriver10.0 93 | Driver 94 | KMDF 95 | Universal 96 | 97 | 98 | Windows10 99 | true 100 | WindowsKernelModeDriver10.0 101 | Driver 102 | KMDF 103 | Universal 104 | 105 | 106 | Windows10 107 | false 108 | WindowsKernelModeDriver10.0 109 | Driver 110 | KMDF 111 | Universal 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | DbgengKernelDebugger 123 | 124 | 125 | DbgengKernelDebugger 126 | 127 | 128 | DbgengKernelDebugger 129 | 130 | 131 | DbgengKernelDebugger 132 | false 133 | 134 | 135 | DbgengKernelDebugger 136 | 137 | 138 | DbgengKernelDebugger 139 | 140 | 141 | DbgengKernelDebugger 142 | 143 | 144 | DbgengKernelDebugger 145 | 146 | 147 | 148 | DriverEntry 149 | 150 | 151 | false 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | -------------------------------------------------------------------------------- /UMCheat/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include "offsets.cpp" 13 | #include 14 | 15 | using namespace std; 16 | 17 | namespace APEXTool { 18 | namespace Controls 19 | { 20 | bool colors_based_on_life_and_shield = true; 21 | bool colors_based_on_vision = false; 22 | }; 23 | } 24 | 25 | LPCTSTR WinName = "Apex Legends"; 26 | HWND hWnd = FindWindow(NULL, WinName); 27 | 28 | uintptr_t pID; 29 | uintptr_t moduleBase; 30 | uintptr_t localPlayer; 31 | uintptr_t entList; 32 | uintptr_t viewRenderer; 33 | uintptr_t viewMatrix; 34 | 35 | typedef struct _NULL_MEMORY 36 | { 37 | void* buffer_address; 38 | UINT_PTR address; 39 | ULONGLONG size; 40 | ULONG pid; 41 | BOOLEAN write; 42 | BOOLEAN read; 43 | BOOLEAN req_base; 44 | void* output; 45 | const char* module_name; 46 | ULONG64 base_address; 47 | }NULL_MEMORY; 48 | 49 | uintptr_t base_address = 0; 50 | uint32_t process_id = 0; 51 | 52 | template 53 | uint64_t call_hook(const Arg ... args) 54 | { 55 | void* hooked_func = GetProcAddress(LoadLibrary("win32u.dll"), "NtOpenCompositionSurfaceSectionInfo"); // NtOpenCompositionSurfaceSectionInfo 56 | 57 | auto func = static_cast(hooked_func); 58 | 59 | return func(args ...); 60 | } 61 | 62 | struct HandleDisposer 63 | { 64 | using pointer = HANDLE; 65 | void operator()(HANDLE handle) const 66 | { 67 | if (handle != NULL || handle != INVALID_HANDLE_VALUE) 68 | { 69 | CloseHandle(handle); 70 | } 71 | } 72 | }; 73 | 74 | using unique_handle = unique_ptr; 75 | struct GlowMode 76 | { 77 | int8_t GeneralGlowMode, BorderGlowMode, BorderSize, TransparentLevel; 78 | }; 79 | 80 | uint32_t get_process_id(string_view process_name) 81 | { 82 | PROCESSENTRY32 processentry; 83 | const unique_handle snapshot_handle(CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL)); 84 | 85 | if (snapshot_handle.get() == INVALID_HANDLE_VALUE) 86 | return NULL; 87 | 88 | processentry.dwSize = sizeof(MODULEENTRY32); 89 | 90 | while (Process32Next(snapshot_handle.get(), &processentry) == TRUE) 91 | { 92 | if (process_name.compare(processentry.szExeFile) == NULL) 93 | { 94 | return processentry.th32ProcessID; 95 | } 96 | } 97 | return NULL; 98 | } 99 | 100 | static ULONG64 get_module_base_address(const char* module_name) 101 | { 102 | NULL_MEMORY instructions = { 0 }; 103 | instructions.pid = process_id; 104 | instructions.req_base = TRUE; 105 | instructions.read = FALSE; 106 | instructions.write = FALSE; 107 | instructions.module_name = module_name; 108 | call_hook(&instructions); 109 | 110 | ULONG64 base = NULL; 111 | base = instructions.base_address; 112 | return base; 113 | } 114 | template 115 | T Read(uintptr_t read_address) 116 | { 117 | T response{}; 118 | NULL_MEMORY instructions; 119 | instructions.pid = process_id; 120 | instructions.size = sizeof(T); 121 | instructions.address = read_address; 122 | instructions.read = TRUE; 123 | instructions.write = FALSE; 124 | instructions.req_base = FALSE; 125 | instructions.output = &response; 126 | call_hook(&instructions); 127 | 128 | return response; 129 | } 130 | 131 | bool write_memory(UINT_PTR write_address, UINT_PTR source_address, SIZE_T write_size) 132 | { 133 | NULL_MEMORY instructions; 134 | instructions.address = write_address; 135 | instructions.pid = process_id; 136 | instructions.write = TRUE; 137 | instructions.read = FALSE; 138 | instructions.req_base = FALSE; 139 | instructions.buffer_address = (void*)source_address; 140 | instructions.size = write_size; 141 | 142 | call_hook(&instructions); 143 | 144 | return true; 145 | } 146 | 147 | template 148 | bool write(UINT_PTR write_address, const S& value) 149 | { 150 | return write_memory(write_address, (UINT_PTR)&value, sizeof(S)); 151 | } 152 | 153 | 154 | DWORD64 GetEntityByID(int Ent, DWORD64 Base) 155 | { 156 | DWORD64 EntityList = Base + OFFSETS::OFFSET_ENTITYLIST; 157 | DWORD64 BaseEntity = Read(EntityList); 158 | if (!BaseEntity) 159 | return NULL; 160 | return Read(EntityList + (Ent << 5)); 161 | } 162 | 163 | string random_string(const int len) { 164 | const string alpha_numeric("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"); 165 | 166 | default_random_engine generator{ random_device{}() }; 167 | const uniform_int_distribution< string::size_type > distribution{ 0, alpha_numeric.size() - 1 }; 168 | 169 | string str(len, 0); 170 | for (auto& it : str) { 171 | it = alpha_numeric[distribution(generator)]; 172 | } 173 | 174 | return str; 175 | } 176 | 177 | float entityNewVisTime = 0; 178 | float entityOldVisTime[100]; 179 | int visCooldownTime[100]; 180 | int entityHealthAndShield[100]; 181 | 182 | int main() 183 | { 184 | string console_title = "Apex Tool - "; 185 | console_title += random_string(16).c_str(); 186 | SetConsoleTitle(console_title.c_str()); 187 | 188 | if (hWnd) 189 | cout << "[+] Found Apex Legends process..." << endl; 190 | else 191 | cout << "[+] Cant find Apex Legends process..." << endl; 192 | 193 | process_id = get_process_id("r5apex.exe"); // r5apex // EasyAntiCheat_launcher 194 | base_address = get_module_base_address("r5apex.exe"); // r5apex // EasyAntiCheat_launcher 195 | cout << "[i] Process ID: " << process_id << "\n" 196 | << "[i] Base Address: " << base_address << "\n" 197 | << "[+] Hooking game...\n\n" 198 | << "[!] Only one option can be enabled at once!" << endl; 199 | SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_GREEN); 200 | cout << " >> [NUM1] Glow based on life and shield: Enabled" << endl; 201 | SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED); 202 | cout << " >> [NUM2] Glow based on vision: Disabled" << endl; 203 | SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_INTENSITY | FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE); 204 | 205 | while (true) 206 | { 207 | if (GetAsyncKeyState(VK_NUMPAD1)) 208 | { 209 | if (!APEXTool::Controls::colors_based_on_life_and_shield) 210 | { 211 | APEXTool::Controls::colors_based_on_life_and_shield = true; 212 | APEXTool::Controls::colors_based_on_vision = false; 213 | 214 | system("CLS"); 215 | cout << "[i] Process ID: " << process_id << "\n" 216 | << "[i] Base Address: " << base_address << "\n" 217 | << "[+] Hooking game...\n\n" 218 | << "[!] Only one option can be enabled at once!" << endl; 219 | SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_GREEN); 220 | cout << " >> [NUM1] Glow based on life and shield: Enabled" << endl; 221 | SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED); 222 | cout << " >> [NUM2] Glow based on vision: Disabled" << endl; 223 | SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_INTENSITY | FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE); 224 | } 225 | } 226 | 227 | if (GetAsyncKeyState(VK_NUMPAD2)) 228 | { 229 | if (!APEXTool::Controls::colors_based_on_vision) 230 | { 231 | APEXTool::Controls::colors_based_on_life_and_shield = false; 232 | APEXTool::Controls::colors_based_on_vision = true; 233 | 234 | system("CLS"); 235 | cout << "[i] Process ID: " << process_id << "\n" 236 | << "[i] Base Address: " << base_address << "\n" 237 | << "[+] Hooking game...\n\n" 238 | << "[!] Only one option can be enabled at once!" << endl; 239 | SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED); 240 | cout << " >> [NUM1] Glow based on life and shield: Disabled" << endl; 241 | SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_GREEN); 242 | cout << " >> [NUM2] Glow based on vision: Enabled" << endl; 243 | SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_INTENSITY | FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE); 244 | } 245 | } 246 | // local player 247 | uintptr_t locPlayer = Read(base_address + OFFSETS::OFFSET_LOCAL_ENT); 248 | 249 | for (int i = 0; i < 100; i++) 250 | { 251 | DWORD64 Entity = GetEntityByID(i, base_address); 252 | if (Entity == 0) 253 | continue; 254 | 255 | DWORD64 EntityHandle = Read(Entity + 0x589); 256 | string Identifier = Read(EntityHandle); 257 | LPCSTR IdentifierC = Identifier.c_str(); 258 | 259 | if (strcmp(IdentifierC, "player")) 260 | { 261 | int playerTeamID = Read(locPlayer + OFFSETS::OFFSET_TEAM); // player team id 262 | int entityTeamID = Read(Entity + OFFSETS::OFFSET_TEAM); // entity team id 263 | 264 | int entityHealth = Read(Entity + OFFSETS::OFFSET_HEALTH); // entity health 265 | int entityShield = Read(Entity + OFFSETS::OFFSET_SHEILD); // entity shield 266 | 267 | int entityHnS = (entityHealth + entityShield)/2; 268 | 269 | entityNewVisTime = Read(Entity + OFFSETS::OFFSET_VISIBLE_TIME); 270 | 271 | write(Entity + OFFSETS::GLOW_CONTEXT, 1); 272 | write(Entity + OFFSETS::GLOW_VISIBLE_TYPE, 2); 273 | write(Entity + OFFSETS::GLOW_TYPE, { 101, 101, 100, 100 }); // GeneralGlowMode, BorderGlowMode, BorderSize, TransparentLevel; 274 | 275 | static float r = 0, g = 0, b = 0; 276 | 277 | if (APEXTool::Controls::colors_based_on_life_and_shield) // life'n'shield 278 | { 279 | if (playerTeamID != entityTeamID) // enemies 280 | { 281 | entityHealthAndShield[i] = entityHnS; 282 | int red = (int)min(2 * (100 - entityHealthAndShield[i]), 100.f); 283 | int green = (int)min(2 * entityHealthAndShield[i], 100.f); 284 | 285 | r = red / 100.0f; 286 | g = green / 100.0f; 287 | b = 10; 288 | } 289 | else // allies 290 | { 291 | entityHealthAndShield[i] = entityHnS; 292 | int red = (int)min(2 * (100 - entityHealthAndShield[i]), 100.f); 293 | int green = (int)min(2 * entityHealthAndShield[i], 100.f); 294 | 295 | r = red / 100.0f; 296 | g = green / 100.0f; 297 | b = 30; 298 | } 299 | } 300 | else // vision 301 | { 302 | if (entityNewVisTime != entityOldVisTime[i]) // VISIBLE enemies 303 | { 304 | visCooldownTime[i] = 32; // low values = less latency 305 | 306 | r = 61.f; 307 | g = 2.f; 308 | b = 2.f; 309 | 310 | entityOldVisTime[i] = entityNewVisTime; 311 | } 312 | else 313 | { 314 | if (visCooldownTime[i] <= 0) // NON-VISIBLE enemies 315 | { 316 | r = 2.f; 317 | g = 2.f; 318 | b = 61.f; 319 | } 320 | } 321 | } 322 | 323 | write(Entity + OFFSETS::GLOW_COLOR, r); 324 | write(Entity + 0x1D4, g); 325 | write(Entity + 0x1D8, b); 326 | 327 | if (visCooldownTime[i] >= 0) visCooldownTime[i] -= 1; 328 | } 329 | } 330 | } 331 | } --------------------------------------------------------------------------------